version 1.63, 2016/08/27 20:43:05 |
version 1.64, 2016/08/28 19:34:15 |
|
|
The |
The |
.Nm crl |
.Nm crl |
command processes CRL files in DER or PEM format. |
command processes CRL files in DER or PEM format. |
The PEM CRL format uses the header and footer lines: |
|
.Bd -unfilled -offset indent |
|
-----BEGIN X509 CRL----- |
|
-----END X509 CRL----- |
|
.Ed |
|
.Pp |
.Pp |
The options are as follows: |
The options are as follows: |
.Bl -tag -width Ds |
.Bl -tag -width Ds |
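Review bot: the "-----BEGIN X509 CRL-----" / "-----END X509 CRL-----" block removed here, like the matching blocks dropped from the dsa, dsaparam, ec, ecparam, pkcs7, req and rsa sections further down, is the only place the page names the PEM label for each object type; the File formats list at the end of the page says only that PEM "is base64-encoded". Unless these labels are being relocated, keep them in one consolidated place so a reader can still tell which kind of object a PEM file holds from its header line.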
|
|
.It Fl outform Cm der | pem |
.It Fl outform Cm der | pem |
The output format. |
The output format. |
.It Fl text |
.It Fl text |
Print the CRL in text form. |
Print the CRL in plain text. |
.El |
.El |
.Sh CRL2PKCS7 |
.Sh CRL2PKCS7 |
.nr nS 1 |
.nr nS 1 |
|
|
.Ar file , |
.Ar file , |
or standard input if not specified. |
or standard input if not specified. |
.It Fl inform Cm der | pem |
.It Fl inform Cm der | pem |
Specify the CRL input format. |
The input format. |
.It Fl nocrl |
.It Fl nocrl |
Normally, a CRL is included in the output file. |
Normally, a CRL is included in the output file. |
With this option, no CRL is |
With this option, no CRL is |
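Review bot: "The input format." loses the object name that "Specify the CRL input format." carried, and the -outform entry in the next hunk is cut the same way, from "Specify the PKCS#7 structure output format." to "The output format."; crl2pkcs7 is one of the few commands on this page whose input and output are different kinds of object, so consider "The CRL input format." and "The PKCS#7 output format." to keep that distinction visible.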
|
|
.Ar file , |
.Ar file , |
or standard output if not specified. |
or standard output if not specified. |
.It Fl outform Cm der | pem |
.It Fl outform Cm der | pem |
Specify the PKCS#7 structure output format. |
The output format. |
.El |
.El |
.Sh DGST |
.Sh DGST |
.nr nS 1 |
.nr nS 1 |
|
|
or standard input if not specified. |
or standard input if not specified. |
.It Fl inform Cm der | pem |
.It Fl inform Cm der | pem |
The input format. |
The input format. |
.Cm der |
|
uses an ASN1 DER-encoded form compatible with the PKCS#3 DHparameter |
|
structure. |
|
.Cm pem |
|
is the default: |
|
it consists of the DER format base64-encoded with |
|
additional header and footer lines: |
|
.Bd -unfilled -offset indent |
|
-----BEGIN DH PARAMETERS----- |
|
-----END DH PARAMETERS----- |
|
.Ed |
|
.It Fl noout |
.It Fl noout |
Do not output the encoded version of the parameters. |
Do not output the encoded version of the parameters. |
.It Fl out Ar file |
.It Fl out Ar file |
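Review bot: dropping "uses an ASN1 DER-encoded form compatible with the PKCS#3 DHparameter structure." leaves no statement of which ASN.1 structure the DER form is; the same happens below to the RFC 2459 DSS-Parms text in dsaparam, the SEC1 / RFC 3280 text in ec, the RFC 3279 EcpkParameters text in ecparam and the PKCS#10 text in req, and the File formats list at the end only says DER "is a binary format". One short sentence per command naming the structure would preserve the reference without the old verbosity, e.g. "The input format; DER input is a PKCS#3 DHparameter structure."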
|
|
.It Fl outform Cm der | pem |
.It Fl outform Cm der | pem |
The output format. |
The output format. |
.It Fl text |
.It Fl text |
Print the DH parameters in human readable form. |
Print the DH parameters in plain text. |
.It Ar numbits |
.It Ar numbits |
Generate a parameter set of size |
Generate a parameter set of size |
.Ar numbits . |
.Ar numbits . |
|
|
.Nm pkcs8 |
.Nm pkcs8 |
command. |
command. |
.Pp |
.Pp |
The PEM private key format uses the header and footer lines: |
|
.Bd -unfilled -offset indent |
|
-----BEGIN DSA PRIVATE KEY----- |
|
-----END DSA PRIVATE KEY----- |
|
.Ed |
|
.Pp |
|
The PEM public key format uses the header and footer lines: |
|
.Bd -unfilled -offset indent |
|
-----BEGIN PUBLIC KEY----- |
|
-----END PUBLIC KEY----- |
|
.Ed |
|
.Pp |
|
The options are as follows: |
The options are as follows: |
.Bl -tag -width Ds |
.Bl -tag -width Ds |
.It Xo |
.It Xo |
|
|
If the key is encrypted, a pass phrase will be prompted for. |
If the key is encrypted, a pass phrase will be prompted for. |
.It Fl inform Cm der | pem |
.It Fl inform Cm der | pem |
The input format. |
The input format. |
.Cm der |
|
with a private key uses an ASN1 DER-encoded form of an ASN.1 |
|
SEQUENCE consisting of the values of version |
|
.Pq currently zero , |
|
P, Q, G, |
|
and the public and private key components, respectively, as ASN.1 INTEGERs. |
|
When used with a public key it uses a |
|
.Em SubjectPublicKeyInfo |
|
structure: it is an error if the key is not DSA. |
|
.Pp |
|
.Cm pem |
|
is the default format: |
|
it consists of the DER format base64-encoded with additional header and footer |
|
lines. |
|
In the case of a private key, PKCS#8 format is also accepted. |
|
.It Fl modulus |
.It Fl modulus |
Print the value of the public key component of the key. |
Print the value of the public key component of the key. |
.It Fl noout |
.It Fl noout |
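Review bot: "In the case of a private key, PKCS#8 format is also accepted." describes accepted input, not the PEM encoding, so it should survive the trimming; the same sentence is cut from the ec -inform entry and from the rsa -inform entry ("On input PKCS#8 format private keys are also accepted.") further down. Suggest keeping "PKCS#8 private keys are also accepted." after "The input format." in each of the three entries.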
|
|
Output a public key, not a private key. |
Output a public key, not a private key. |
Automatically set if the input is a public key. |
Automatically set if the input is a public key. |
.It Fl text |
.It Fl text |
Print the public/private key components and parameters. |
Print the public/private key in plain text. |
.El |
.El |
.Sh DSAPARAM |
.Sh DSAPARAM |
.nr nS 1 |
.nr nS 1 |
|
|
.Nm dsaparam |
.Nm dsaparam |
command is used to manipulate or generate DSA parameter files. |
command is used to manipulate or generate DSA parameter files. |
.Pp |
.Pp |
PEM format DSA parameters use the header and footer lines: |
|
.Bd -unfilled -offset indent |
|
-----BEGIN DSA PARAMETERS----- |
|
-----END DSA PARAMETERS----- |
|
.Ed |
|
.Pp |
|
The options are as follows: |
The options are as follows: |
.Bl -tag -width Ds |
.Bl -tag -width Ds |
.It Fl C |
.It Fl C |
|
|
parameter is included, then this option is ignored. |
parameter is included, then this option is ignored. |
.It Fl inform Cm der | pem |
.It Fl inform Cm der | pem |
The input format. |
The input format. |
.Cm der |
|
uses an ASN1 DER-encoded form compatible with RFC 2459 |
|
.Pq PKIX |
|
DSS-Parms that is a SEQUENCE consisting of p, q and g, respectively. |
|
.Cm pem |
|
is the default format: |
|
it consists of the DER format base64-encoded with additional header |
|
and footer lines. |
|
.It Fl noout |
.It Fl noout |
Do not output the encoded version of the parameters. |
Do not output the encoded version of the parameters. |
.It Fl out Ar file |
.It Fl out Ar file |
|
|
.It Fl outform Cm der | pem |
.It Fl outform Cm der | pem |
The output format. |
The output format. |
.It Fl text |
.It Fl text |
Print the DSA parameters in human readable form. |
Print the DSA parameters in plain text. |
.It Ar numbits |
.It Ar numbits |
Generate a parameter set of size |
Generate a parameter set of size |
.Ar numbits . |
.Ar numbits . |
|
|
.Nm pkcs8 |
.Nm pkcs8 |
command. |
command. |
.Pp |
.Pp |
The PEM private key format uses the header and footer lines: |
|
.Bd -literal -offset indent |
|
-----BEGIN EC PRIVATE KEY----- |
|
-----END EC PRIVATE KEY----- |
|
.Ed |
|
.Pp |
|
The PEM public key format uses the header and footer lines: |
|
.Bd -literal -offset indent |
|
-----BEGIN PUBLIC KEY----- |
|
-----END PUBLIC KEY----- |
|
.Ed |
|
.Pp |
|
The options are as follows: |
The options are as follows: |
.Bl -tag -width Ds |
.Bl -tag -width Ds |
.It Fl conv_form Ar arg |
.It Fl conv_form Ar arg |
|
|
If the key is encrypted a pass phrase will be prompted for. |
If the key is encrypted a pass phrase will be prompted for. |
.It Fl inform Cm der | pem |
.It Fl inform Cm der | pem |
The input format. |
The input format. |
.Cm der |
|
with a private key uses |
|
an ASN.1 DER-encoded SEC1 private key. |
|
When used with a public key it |
|
uses the SubjectPublicKeyInfo structure as specified in RFC 3280. |
|
.Cm pem |
|
is the default format: |
|
it consists of the DER format base64-encoded |
|
with additional header and footer lines. |
|
In the case of a private key |
|
PKCS#8 format is also accepted. |
|
.It Fl noout |
.It Fl noout |
Do not output the encoded version of the key. |
Do not output the encoded version of the key. |
.It Fl out Ar file |
.It Fl out Ar file |
|
|
Output a public key, not a private key. |
Output a public key, not a private key. |
Automatically set if the input is a public key. |
Automatically set if the input is a public key. |
.It Fl text |
.It Fl text |
Print the public/private key components and parameters. |
Print the public/private key in plain text. |
.El |
.El |
.Sh ECPARAM |
.Sh ECPARAM |
.nr nS 1 |
.nr nS 1 |
|
|
.Nm ecparam |
.Nm ecparam |
can only create EC parameters from known (named) curves. |
can only create EC parameters from known (named) curves. |
.Pp |
.Pp |
PEM format EC parameters use the header and footer lines: |
|
.Bd -literal -offset indent |
|
-----BEGIN EC PARAMETERS----- |
|
-----END EC PARAMETERS----- |
|
.Ed |
|
.Pp |
|
The options are as follows: |
The options are as follows: |
.Bl -tag -width Ds |
.Bl -tag -width Ds |
.It Fl C |
.It Fl C |
|
|
or standard input if not specified. |
or standard input if not specified. |
.It Fl inform Cm der | pem |
.It Fl inform Cm der | pem |
The input format. |
The input format. |
.Cm der |
|
uses an ASN.1 DER-encoded |
|
form compatible with RFC 3279 EcpkParameters. |
|
.Cm pem |
|
is the default format: |
|
it consists of the DER format base64-encoded with additional |
|
header and footer lines. |
|
.It Fl list_curves |
.It Fl list_curves |
Print a list of all |
Print a list of all |
currently implemented EC parameter names and exit. |
currently implemented EC parameter names and exit. |
|
|
alternative, as specified in RFC 3279, |
alternative, as specified in RFC 3279, |
is currently not implemented. |
is currently not implemented. |
.It Fl text |
.It Fl text |
Print the EC parameters in human readable form. |
Print the EC parameters in plain text. |
.El |
.El |
.Sh ENC |
.Sh ENC |
.nr nS 1 |
.nr nS 1 |
|
|
The EC curve to use. |
The EC curve to use. |
.El |
.El |
.It Fl text |
.It Fl text |
Print an unencrypted text representation of private and public keys and |
Print the private/public key in plain text. |
parameters along with the DER or PEM structure. |
|
.El |
.El |
.Sh GENRSA |
.Sh GENRSA |
.nr nS 1 |
.nr nS 1 |
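Review bot: the new "Print the private/public key in plain text." drops the word "unencrypted" from "Print an unencrypted text representation of private and public keys and parameters along with the DER or PEM structure."; that word is the security-relevant part of the entry, since it tells the reader that the private key material is printed in the clear. Keep it, e.g. "Print the private/public key, unencrypted, in plain text."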
|
|
The PKCS#7 routines only understand PKCS#7 v 1.5 as specified in RFC 2315. |
The PKCS#7 routines only understand PKCS#7 v 1.5 as specified in RFC 2315. |
They cannot currently parse, for example, the new CMS as described in RFC 2630. |
They cannot currently parse, for example, the new CMS as described in RFC 2630. |
.Pp |
.Pp |
The PEM PKCS#7 format uses the header and footer lines: |
|
.Bd -unfilled -offset indent |
|
-----BEGIN PKCS7----- |
|
-----END PKCS7----- |
|
.Ed |
|
.Pp |
|
For compatibility with some CAs it will also accept: |
|
.Bd -unfilled -offset indent |
|
-----BEGIN CERTIFICATE----- |
|
-----END CERTIFICATE----- |
|
.Ed |
|
.Pp |
|
The options are as follows: |
The options are as follows: |
.Bl -tag -width Ds |
.Bl -tag -width Ds |
.It Fl in Ar file |
.It Fl in Ar file |
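Review bot: "For compatibility with some CAs it will also accept:" followed by the "-----BEGIN CERTIFICATE-----" block documents an accepted input, not just a PEM label; with it gone nothing tells the reader that a PKCS#7 file shipped under a CERTIFICATE header will still be read. Keep a one-line form such as "PEM input with CERTIFICATE header lines is also accepted, for compatibility with some CAs."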
|
|
or standard input if not specified. |
or standard input if not specified. |
.It Fl inform Cm der | pem |
.It Fl inform Cm der | pem |
The input format. |
The input format. |
.Cm der |
|
format is a DER-encoded PKCS#7 v1.5 structure. |
|
.Cm pem |
|
(the default) |
|
is a base64-encoded version of the DER form with header and footer lines. |
|
.It Fl noout |
.It Fl noout |
Don't output the encoded version of the PKCS#7 structure |
Don't output the encoded version of the PKCS#7 structure |
(or certificates if |
(or certificates if |
|
|
If the key is encrypted, a pass phrase will be prompted for. |
If the key is encrypted, a pass phrase will be prompted for. |
.It Fl inform Cm der | pem |
.It Fl inform Cm der | pem |
The input format. |
The input format. |
If a PKCS#8 format key is expected on input, |
|
then either a |
|
DER- or PEM-encoded version of a PKCS#8 key will be expected. |
|
Otherwise the DER or PEM format of the traditional format private key is used. |
|
.It Fl nocrypt |
.It Fl nocrypt |
Generate an unencrypted PrivateKeyInfo structure. |
Generate an unencrypted PrivateKeyInfo structure. |
This option does not encrypt private keys at all |
This option does not encrypt private keys at all |
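Review bot: "The input format." on its own no longer says whether a PKCS#8 or a traditional format key is expected; the removed sentences ("If a PKCS#8 format key is expected on input, then either a DER- or PEM-encoded version of a PKCS#8 key will be expected. Otherwise the DER or PEM format of the traditional format private key is used.") tied -inform to the option that selects PKCS#8 input. Keep one sentence making that dependency explicit, since the same der or pem value means a different structure in the two cases.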
|
|
Output a public key, not a private key. |
Output a public key, not a private key. |
Automatically set if the input is a public key. |
Automatically set if the input is a public key. |
.It Fl text |
.It Fl text |
Print out the various public or private key components in plain text |
Print the public/private key in plain text. |
in addition to the encoded version. |
|
.It Fl text_pub |
.It Fl text_pub |
Print out only public key components |
Print out only public key components |
even if a private key is being processed. |
even if a private key is being processed. |
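Review bot: "in addition to the encoded version" is dropped from the -text entry here, and the same phrase goes from the pkey -text entry ("Print the parameters in plain text, in addition to the encoded version.") and from the rsa -text entry below; without it a reader may expect -text to replace the encoded output rather than accompany it, and the page documents -noout for suppressing the encoded output in the other sections. Either keep the phrase or state once, in a shared place, that -text adds to rather than replaces the encoded output.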
|
|
The output file to write to, |
The output file to write to, |
or standard output if not specified. |
or standard output if not specified. |
.It Fl text |
.It Fl text |
Print the parameters in plain text, in addition to the encoded version. |
Print the parameters in plain text. |
.El |
.El |
.Sh PKEYUTL |
.Sh PKEYUTL |
.nr nS 1 |
.nr nS 1 |
|
|
are not specified. |
are not specified. |
.It Fl inform Cm der | pem |
.It Fl inform Cm der | pem |
The input format. |
The input format. |
.Cm der |
|
uses an ASN1 DER-encoded form compatible with the PKCS#10. |
|
.Cm pem |
|
is the default format: |
|
it consists of the DER format base64-encoded with additional header and |
|
footer lines. |
|
.It Fl key Ar keyfile |
.It Fl key Ar keyfile |
The file to read the private key from. |
The file to read the private key from. |
It also accepts PKCS#8 format private keys for PEM format files. |
It also accepts PKCS#8 format private keys for PEM format files. |
|
|
.Fl x509 |
.Fl x509 |
is specified). |
is specified). |
.It Fl text |
.It Fl text |
Print the certificate request in text form. |
Print the certificate request in plain text. |
.It Fl utf8 |
.It Fl utf8 |
Interpret field values as UTF8 strings, not ASCII. |
Interpret field values as UTF8 strings, not ASCII. |
.It Fl verbose |
.It Fl verbose |
|
|
Any additional fields will be treated as though they were a |
Any additional fields will be treated as though they were a |
.Cm DirectoryString . |
.Cm DirectoryString . |
.Pp |
.Pp |
The header and footer lines in the PEM format are normally: |
|
.Bd -unfilled -offset indent |
|
-----BEGIN CERTIFICATE REQUEST----- |
|
-----END CERTIFICATE REQUEST----- |
|
.Ed |
|
.Pp |
|
Some software instead needs: |
|
.Bd -unfilled -offset indent |
|
-----BEGIN NEW CERTIFICATE REQUEST----- |
|
-----END NEW CERTIFICATE REQUEST----- |
|
.Ed |
|
.Pp |
|
The following messages are frequently asked about: |
The following messages are frequently asked about: |
.Bd -unfilled -offset indent |
.Bd -unfilled -offset indent |
Using configuration from /some/path/openssl.cnf |
Using configuration from /some/path/openssl.cnf |
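Review bot: "Some software instead needs:" with the "-----BEGIN NEW CERTIFICATE REQUEST-----" block is an interoperability note rather than a format definition, and it is the only mention on the page of the alternative header; removing it together with the standard CERTIFICATE REQUEST block leaves a user who is handed such a file with nothing to go on. Keep at least the sentence about the NEW CERTIFICATE REQUEST variant.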
|
|
See the description |
See the description |
.Fl asn1-kludge |
.Fl asn1-kludge |
for more information. |
for more information. |
.\" |
|
.\" RSA |
|
.\" |
|
.Sh RSA |
.Sh RSA |
.nr nS 1 |
.nr nS 1 |
.Nm "openssl rsa" |
.Nm "openssl rsa" |
.Bk -words |
.Op Fl aes128 | aes192 | aes256 | des | des3 |
.Oo |
|
.Fl aes128 | aes192 | aes256 | |
|
.Fl des | des3 |
|
.Oc |
|
.Op Fl check |
.Op Fl check |
.Op Fl in Ar file |
.Op Fl in Ar file |
.Op Fl inform Ar DER | NET | PEM |
.Op Fl inform Cm der | net | pem |
.Op Fl modulus |
.Op Fl modulus |
.Op Fl noout |
.Op Fl noout |
.Op Fl out Ar file |
.Op Fl out Ar file |
.Op Fl outform Ar DER | NET | PEM |
.Op Fl outform Cm der | net | pem |
.Op Fl passin Ar arg |
.Op Fl passin Ar arg |
.Op Fl passout Ar arg |
.Op Fl passout Ar arg |
.Op Fl pubin |
.Op Fl pubin |
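Review bot: the ".Bk -words" / ".Ek" pair is removed around the synopsis, so the formatter may now break a line inside an option group such as ".Op Fl inform Cm der | net | pem"; if the other commands' synopses already do without the keep this is fine for consistency, otherwise retain it. Changing "Ar DER | NET | PEM" to "Cm der | net | pem" is consistent with the "The argument is case insensitive." note at the end of the page.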
|
|
.Op Fl sgckey |
.Op Fl sgckey |
.Op Fl text |
.Op Fl text |
.nr nS 0 |
.nr nS 0 |
.Ek |
|
.Pp |
.Pp |
The |
The |
.Nm rsa |
.Nm rsa |
command processes RSA keys. |
command processes RSA keys. |
They can be converted between various forms and their components printed out. |
They can be converted between various forms and their components printed out. |
.Pp |
.Nm rsa |
.Sy Note : |
uses the traditional |
this command uses the traditional |
|
.Nm SSLeay |
.Nm SSLeay |
compatible format for private key encryption: |
compatible format for private key encryption: |
newer applications should use the more secure PKCS#8 format using the |
newer applications should use the more secure PKCS#8 format using the |
|
|
.Pp |
.Pp |
The options are as follows: |
The options are as follows: |
.Bl -tag -width Ds |
.Bl -tag -width Ds |
.It Xo |
.It Fl aes128 | aes192 | aes256 | des | des3 |
.Fl aes128 | aes192 | aes256 | |
Encrypt the private key with the AES, DES, |
.Fl des | des3 |
|
.Xc |
|
These options encrypt the private key with the AES, DES, |
|
or the triple DES ciphers, respectively, before outputting it. |
or the triple DES ciphers, respectively, before outputting it. |
A pass phrase is prompted for. |
A pass phrase is prompted for. |
If none of these options are specified, the key is written in plain text. |
If none of these options are specified, the key is written in plain text. |
|
|
it can be used to add or change the pass phrase. |
it can be used to add or change the pass phrase. |
These options can only be used with PEM format output files. |
These options can only be used with PEM format output files. |
.It Fl check |
.It Fl check |
This option checks the consistency of an RSA private key. |
Check the consistency of an RSA private key. |
.It Fl in Ar file |
.It Fl in Ar file |
This specifies the input |
The input file to read from, |
.Ar file |
or standard input if not specified. |
to read a key from, or standard input if this |
|
option is not specified. |
|
If the key is encrypted, a pass phrase will be prompted for. |
If the key is encrypted, a pass phrase will be prompted for. |
.It Fl inform Ar DER | NET | PEM |
.It Fl inform Cm der | net | pem |
This specifies the input format. |
The input format. |
The |
|
.Ar DER |
|
argument |
|
uses an ASN1 DER-encoded form compatible with the PKCS#1 |
|
RSAPrivateKey or SubjectPublicKeyInfo format. |
|
The |
|
.Ar PEM |
|
form is the default format: it consists of the DER format base64-encoded with |
|
additional header and footer lines. |
|
On input PKCS#8 format private keys are also accepted. |
|
The |
|
.Ar NET |
|
form is a format described in the |
|
.Sx RSA NOTES |
|
section. |
|
.It Fl noout |
.It Fl noout |
This option prevents output of the encoded version of the key. |
Do not output the encoded version of the key. |
.It Fl modulus |
.It Fl modulus |
This option prints out the value of the modulus of the key. |
Print the value of the modulus of the key. |
.It Fl out Ar file |
.It Fl out Ar file |
This specifies the output |
The output file to write to, |
.Ar file |
or standard output if not specified. |
to write a key to, or standard output if this option is not specified. |
.It Fl outform Cm der | net | pem |
If any encryption options are set, a pass phrase will be prompted for. |
The output format. |
The output filename should |
|
.Em not |
|
be the same as the input filename. |
|
.It Fl outform Ar DER | NET | PEM |
|
This specifies the output format; the options have the same meaning as the |
|
.Fl inform |
|
option. |
|
.It Fl passin Ar arg |
.It Fl passin Ar arg |
The key password source. |
The key password source. |
.It Fl passout Ar arg |
.It Fl passout Ar arg |
The output file password source. |
The output file password source. |
.It Fl pubin |
.It Fl pubin |
By default, a private key is read from the input file; with this |
Read in a public key, |
option a public key is read instead. |
not a private key. |
.It Fl pubout |
.It Fl pubout |
By default, a private key is output; |
Output a public key, |
with this option a public key will be output instead. |
not a private key. |
This option is automatically set if the input is a public key. |
Automatically set if the input is a public key. |
.It Fl sgckey |
.It Fl sgckey |
Use the modified |
Use the modified NET algorithm used with some versions of Microsoft IIS |
.Em NET |
and SGC keys. |
algorithm used with some versions of Microsoft IIS and SGC keys. |
|
.It Fl text |
.It Fl text |
Prints out the various public or private key components in |
Print the public/private key components in plain text. |
plain text, in addition to the encoded version. |
|
.El |
.El |
.Sh RSA NOTES |
|
The PEM private key format uses the header and footer lines: |
|
.Bd -unfilled -offset indent |
|
-----BEGIN RSA PRIVATE KEY----- |
|
-----END RSA PRIVATE KEY----- |
|
.Ed |
|
.Pp |
|
The PEM public key format uses the header and footer lines: |
|
.Bd -unfilled -offset indent |
|
-----BEGIN PUBLIC KEY----- |
|
-----END PUBLIC KEY----- |
|
.Ed |
|
.Pp |
|
The |
|
.Em NET |
|
form is a format compatible with older Netscape servers |
|
and Microsoft IIS .key files; this uses unsalted RC4 for its encryption. |
|
It is not very secure and so should only be used when necessary. |
|
.Pp |
|
Some newer version of IIS have additional data in the exported .key files. |
|
To use these with the |
|
.Nm rsa |
|
utility, view the file with a binary editor |
|
and look for the string |
|
.Qq private-key , |
|
then trace back to the byte sequence 0x30, 0x82 |
|
.Pq this is an ASN1 SEQUENCE . |
|
Copy all the data from this point onwards to another file and use that as |
|
the input to the |
|
.Nm rsa |
|
utility with the |
|
.Fl inform Ar NET |
|
option. |
|
If there is an error after entering the password, try the |
|
.Fl sgckey |
|
option. |
|
.Sh RSA EXAMPLES |
|
To remove the pass phrase on an RSA private key: |
|
.Pp |
|
.Dl $ openssl rsa -in key.pem -out keyout.pem |
|
.Pp |
|
To encrypt a private key using triple DES: |
|
.Pp |
|
.Dl $ openssl rsa -in key.pem -des3 -out keyout.pem |
|
.Pp |
|
To convert a private key from PEM to DER format: |
|
.Pp |
|
.Dl $ openssl rsa -in key.pem -outform DER -out keyout.der |
|
.Pp |
|
To print out the components of a private key to standard output: |
|
.Pp |
|
.Dl $ openssl rsa -in key.pem -text -noout |
|
.Pp |
|
To just output the public part of a private key: |
|
.Pp |
|
.Dl $ openssl rsa -in key.pem -pubout -out pubkey.pem |
|
.Sh RSA BUGS |
|
The command line password arguments don't currently work with |
|
.Em NET |
|
format. |
|
.Pp |
|
There should be an option that automatically handles .key files, |
|
without having to manually edit them. |
|
.\" |
.\" |
.\" RSAUTL |
.\" RSAUTL |
.\" |
.\" |
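Review bot: three things leave this hunk that are not just wording. First, the -out caveat "The output filename should not be the same as the input filename." is an operational warning against clobbering the key being read and should be kept. Second, the -inform entry no longer points NET at the RSA NOTES section, and that section is removed here together with RSA EXAMPLES and RSA BUGS, so the description of NET as "compatible with older Netscape servers and Microsoft IIS .key files; this uses unsalted RC4 for its encryption", the IIS .key extraction procedure, and the BUGS statement "The command line password arguments don't currently work with NET format." all disappear while -sgckey still refers to "the modified NET algorithm". Third, the five RSA EXAMPLES command lines are the only worked usage on the page. If these blocks are being moved to a common section this is fine; otherwise retain at least the same-filename warning and the two NET limitations.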
|
|
Read the password from standard input. |
Read the password from standard input. |
.El |
.El |
.Pp |
.Pp |
File formats, |
Input/output formats, |
typically specified using |
typically specified using |
.Fl inform |
.Fl inform |
and |
and |
.Fl outform , |
.Fl outform , |
indicate the type of file being read from |
indicate the format being read from or written to. |
or the file format to write. |
|
The argument is case insensitive. |
The argument is case insensitive. |
.Pp |
.Pp |
.Bl -tag -width Ds -offset indent -compact |
.Bl -tag -width Ds -offset indent -compact |
.It Cm der |
.It Cm der |
Distinguished Encoding Rules (DER) |
Distinguished Encoding Rules (DER) |
is a binary format. |
is a binary format. |
|
.It Cm net |
|
Insecure legacy format. |
.It Cm pem |
.It Cm pem |
Privacy Enhanced Mail (PEM) |
Privacy Enhanced Mail (PEM) |
is base64-encoded. |
is base64-encoded. |
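Review bot: the new ".It Cm net" entry, "Insecure legacy format.", says what to think of the format but not what it is; the sentence being removed from RSA NOTES above ("compatible with older Netscape servers and Microsoft IIS .key files; this uses unsalted RC4 for its encryption") is a better one-liner, and on this page only the rsa command lists net among its -inform/-outform values, which is worth stating here so readers of the other sections do not try it. Suggest: "Insecure legacy Netscape/IIS format using unsalted RC4; rsa only."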